Abstract. We offer a public key exchange protocol in the spirit of Diffie-Hellman, but we use (small) matrices over a group ring of a (small) symmetric group as the platform. This "nested structure" of the platform makes computation very efficient for legitimate parties. We discuss security of this scheme by addressing the Decision Diffie-Hellman (DDH) and Computational Diffie-Hellman (CDH) problems for our platform.



1. Introduction 

The beginning of public key cryptography can be traced back to the paper by Diffie and Hellman [2]. The simplest, and original, implementation of their key exchange protocol uses $\mathbb{Z}_p^*$, the multiplicative group of integers modulo a prime p, as the platform. There is also a public element $g \in \mathbb{Z}_p^*$, which is a primitive root mod p. The protocol itself is as follows:

(1) Alice chooses an integer a, computes $A = g^a \bmod p$ and publishes A.

(2) Bob picks an integer b, computes $B = g^b \bmod p$, and publishes B.

(3) Alice computes $K_A = B^a \bmod p$.

(4) Bob computes $K_B = A^b \bmod p$.

Both Alice and Bob are now in possession of a secret shared key K, as $g^{ab} \bmod p = g^{ba} \bmod p$, hence $K := K_A = K_B$.

The protocol is considered secure provided G and g are chosen properly, see e.g. [5] for details. In order to recover the shared secret key, the eavesdropper Eve must be able to solve the Diffie-Hellman problem (recover $g^{ab}$ from g, $g^a$ and $g^b$). One could solve the Diffie-Hellman problem by solving the discrete logarithm problem, i.e., by recovering a from g and $g^a$. However, it is unknown whether the discrete logarithm problem is equivalent to the Diffie-Hellman problem.

We should note that there is still the "brute force" method of solving the discrete logarithm problem. The eavesdropper can simply start computing successively higher powers of g, until they match $g^a$. This requires at most $|g|$ multiplications, where $|g|$ is the order of g in the group G. It is usually the case however that $|g| \approx 10^{300}$ and hence this method is considered computationally infeasible.

Initially it may seem that the legitimate parties, Alice and Bob, will also have to perform a large number of multiplications, thus facing the same problem as the eavesdropper does. However, as the legitimate parties are in possession of a and b, they can use the "square and multiply" algorithm that requires $O(\log_2 a)$ multiplications, e.g. $g^{a} = (((g^2)^2)^2)^2 \cdot ((g^2)^2)^2 \cdot \cdots$

There is some disadvantage to working with $\mathbb{Z}_p$, where p, a, and b are chosen to be fairly large. Computation with 300-digit numbers (or 1000-bit binary numbers) is not particularly efficient, and neither is reducing the result modulo p. This is one of the reasons why the Diffie-Hellman key agreement protocol with recommended parameters is not suitable for devices with limited computational resources. Hence, there is an ongoing search for other platforms where the Diffie-Hellman or a similar key exchange can be carried out more efficiently, in particular with public and/or private keys of smaller size.

The platform that we are proposing here is the semigroup of matrices (of a small size) over a group ring, with the usual matrix multiplication operation. More specifically, we are working with matrices over the group ring $\mathbb{Z}_n[S_m]$, where $\mathbb{Z}_n$ is the ring of integers modulo n and $S_m$ is the symmetric group of degree m. To verify the security of using such a semigroup of matrices as the platform, we address the Computational Diffie-Hellman and Decision Diffie-Hellman problems (Section 5), along with questions about the structure of this semigroup.

Parameters that we suggest (2 x 2 or 3 x 3 matrices over $\mathbb{Z}_7[S_5]$) provide for a large key space ($7^{480} \approx 10^{406}$ for 2 x 2 matrices and $7^{1080} \approx 10^{913}$ for 3 x 3 matrices). Storing a single 2 x 2 matrix over $\mathbb{Z}_7[S_5]$ takes about 1440 bits, and a single 3 x 3 matrix about 3240 bits, so keys are of about the same size as in the "classical" Diffie-Hellman scheme (storing an integer of size about $10^{300}$ requires 997 bits). These storage requirements can be reduced by 1/7th if we do not store polynomial terms which have 0 as their coefficient, thus bringing the key size down to about 1230 bits for 2 x 2 matrices and to about 2780 bits for 3 x 3 matrices.

What we believe is one of the main advantages of our platform over the standard $\mathbb{Z}_p$ platform in the original Diffie-Hellman scheme is that the multiplication of matrices over $\mathbb{Z}_7[S_5]$ is very efficient. In particular, in our setup multiplying elements is faster than multiplying numbers in $\mathbb{Z}_p$ for a large p. This is due to the fact that one can pre-compute the multiplication table for the group $S_5$ (of order 120), so in order to multiply two elements of $\mathbb{Z}_7[S_5]$ there is no "actual" multiplication in $S_5$ involved, but just re-arranging a bit string and multiplying coefficients in $\mathbb{Z}_7$. Also, in our multiplication there is no reduction of the result modulo p that slows down computation in $\mathbb{Z}_p$ for a large p. Informally speaking, the "nested structure" of our platform (small matrices over a group ring of a small group $S_5$ over a small ring $\mathbb{Z}_7$) provides for more efficient computation than just using $\mathbb{Z}_p$ with a very large p.

From a security standpoint, an advantage of our platform over the group $\mathbb{Z}_p$, or elliptic curves, is that "standard" attacks (baby-step giant-step, Pohlig-Hellman, Pollard's rho) do not work with our platform, as we show in Section 6. Furthermore, our platform proves secure against Shor's quantum algorithm, which is a common pitfall for classical Diffie-Hellman algorithms, see Section 6.3.



2. Group Rings 

Definition 2.1. Let G be a group written multiplicatively and let R be any commutative ring with nonzero unity. The group ring R[G] is defined to be the set of all formal sums

$$\sum_{g_i \in G} r_i g_i,$$

where $r_i \in R$, and all but a finite number of $r_i$ are zero.

We define the sum of two elements in R[G] by

$$\sum_{g_i \in G} a_i g_i + \sum_{g_i \in G} b_i g_i = \sum_{g_i \in G} (a_i + b_i) g_i.$$

Note that $(a_i + b_i) = 0$ for all but a finite number of i, hence the above sum is in R[G]. Thus R[G] is an abelian group.

Multiplication of two elements of R[G] is defined by the use of the multiplications in G and R as follows:

$$\Big(\sum_{g_i \in G} a_i g_i\Big)\Big(\sum_{g_i \in G} b_i g_i\Big) = \sum_{g_i \in G}\Big(\sum_{g_j g_k = g_i} a_j b_k\Big) g_i.$$

As an example of a group ring, we consider the symmetric group $S_5$ and the ring $\mathbb{Z}_7$ and form the group ring $\mathbb{Z}_7[S_5]$. We will write the identity element of $S_m$ as e. Sample elements and operations are

a = 5(123) + 2(15)(24) + (153)

b = 3(123) + 4(1453)

a + b= (123) + 2(15)(24) + (153) + 4(1453) 

ab = (5(123) + 2(15)(24) + (153))(3(123) + 4(1453)) 

= 15(132) + 20(145)(23) + 6(14235) + 8(124)(35) + 3(12)(35) + 4(1435) 

= (132) + 6(145)(23) + 6(14235) + (124)(35) + 3(12)(35) + 4(1435) 

ba = (3(123) + 4(1453))(5(123) + 2(15)(24) + (153)) 

= 15(132) + 6(15243) + 3(15)(23) + 20(12)(345) + 8(13)(254) + 4(1345) 

= (132) + 6(15243) + 3(15)(23) + 6(12)(345) + (13)(254) + 4(1345) 

Now that group rings have been defined, it is clear how to define $M_2(\mathbb{Z}_n[S_m])$, the ring of 2 x 2 matrices over the group ring $\mathbb{Z}_n[S_m]$. We are only going to be concerned with multiplication of matrices in this ring; as an example using the same a and b defined above, we can define

$$M_1 = \begin{pmatrix} a & e \\ e & b \end{pmatrix}, \qquad M_2 = \begin{pmatrix} b & e \\ 0 & a \end{pmatrix}.$$

Then

$$M_1 M_2 = \begin{pmatrix} ab & 2a \\ b & e + ba \end{pmatrix} = \begin{pmatrix} ab & 3(123) + 4(15)(24) + 2(153) \\ 3(123) + 4(1453) & e + ba \end{pmatrix},$$

where ab and ba are computed above.



3. Computational Diffie-Hellman and Decision Diffie-Hellman 

Recall that in the Diffie-Hellman key exchange Alice and Bob want to establish a secret shared key. Alice chooses a finite group G and an element g of the group G. Alice then picks a random a and publishes $(g, G, g^a)$. Bob also picks a random b and publishes $(g^b)$. Alice's and Bob's secret key is now $g^{ab}$, which can be computed by both of them since $g^{ab} = (g^a)^b = (g^b)^a$. The security of the Diffie-Hellman key exchange relies on the assumption that it is computationally hard to recover $g^{ab}$ given $(g, G, g^a, g^b)$.

A passive eavesdropper, Eve, would try to recover $g^{ab}$ from $(g, G, g^a, g^b)$. One defines the Diffie-Hellman algorithm by $F(g, G, g^a, g^b) = g^{ab}$. We say that a group G satisfies the Computational Diffie-Hellman (CDH) assumption if no efficient algorithm exists to compute $F(g, G, g^a, g^b) = g^{ab}$. More precisely:

Definition 3.1. A CDH algorithm F for a group G is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and all sufficiently large n,

$$P\big[F(g, G, g^a, g^b) = g^{ab}\big] > \frac{1}{n^{\alpha}}.$$

The probability is over a uniformly random choice of a and b. We say that the group G satisfies the CDH assumption if there is no CDH algorithm for G.

Even though a group may satisfy the CDH assumption, CDH by itself is not sufficient to prove that the Diffie-Hellman protocol is useful for practical cryptographic purposes. While Eve may not be able to recover the entire secret, she may still be able to recover valuable information about it. For example, even if CDH is true, Eve may still be able to predict 80% of the bits of $g^{ab}$ with reasonable confidence [T].

Hence if we are using $g^{ab}$ as the shared secret key, one must be able to bound the information Eve can extract about it given g, $g^a$ and $g^b$. This is formally expressed by the much stronger Decision Diffie-Hellman (DDH) assumption.

Definition 3.2. A DDH algorithm F for a group G is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and all sufficiently large n,

$$\Big| P\big[F(g, G, g^a, g^b, g^{ab}) = \text{"True"}\big] - P\big[F(g, G, g^a, g^b, g^c) = \text{"True"}\big] \Big| > \frac{1}{n^{\alpha}}.$$

The probability is over a uniformly random choice of a, b and c. We say that the group G satisfies the DDH assumption if there is no DDH algorithm for G.

Essentially, the DDH assumption implies that there is no efficient algorithm which can distinguish between the two probability distributions $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$, where a, b and c are chosen at random.

4. Diffie-Hellman key exchange protocol using matrices over $\mathbb{Z}_n[S_m]$

While $S_m$ is a relatively small group for small m, the size of the group ring $\mathbb{Z}_n[S_m]$ grows reasonably fast, even for small values of n and m. This is one reason we chose to look at the Diffie-Hellman key exchange protocol using these group rings. We propose to work with the group ring $\mathbb{Z}_7[S_5]$, which has the size $7^{5!} = 7^{120}$. The next step is to work with matrices over these group rings. Hence, say, the semigroup $M_3(\mathbb{Z}_7[S_5])$ of 3 x 3 matrices has the order $(7^{5!})^9 \approx 10^{913}$. This semigroup of matrices can now serve as the platform for the Diffie-Hellman key exchange protocol. The procedure Alice and Bob carry out is essentially the same.

Alice chooses a public matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a private large positive integer a, computes $M^a$, and publishes $(M, M^a)$. Bob chooses another large integer b, computes $M^b$, and publishes $(M^b)$. Both Alice and Bob can now compute the same shared secret key $K = (M^a)^b = (M^b)^a$.

As we have already mentioned in the Introduction, multiplication of matrices in the semigroup $M_3(\mathbb{Z}_7[S_5])$ is very efficient, and, of course, in this semigroup, as in any other semigroup, we can use the "square and multiply" algorithm for exponentiation.
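As an added example, not the paper's own C++ implementation, the following Python code builds the group ring $\mathbb{Z}_7[S_5]$ of Section 2 using the pre-computed $S_5$ multiplication table mentioned in the Introduction, multiplies 2 x 2 matrices over it, exponentiates by square-and-multiply, and runs the exchange of this section; it checks itself against the products ab and ba and the product $M_1 M_2$ worked in Section 2. It assumes that permutations compose right-to-left (the right factor acts first), which is the convention under which the paper's printed products come out; the exponents and the seeded public matrix are constructed sample values.

```python
"""Added example (not the paper's C++ implementation): the group ring Z_7[S_5] of Section 2,
2x2 matrices over it, square-and-multiply, and the key exchange of Section 4."""
import itertools
import random

N_MOD, DEG = 7, 5                                    # coefficients in Z_7, group S_5
PERMS = list(itertools.permutations(range(DEG)))     # the 120 elements of S_5
INDEX = {p: i for i, p in enumerate(PERMS)}
ORDER, IDENT = len(PERMS), tuple(range(DEG))         # 120, and the identity permutation e

def compose(p, q):
    """p*q in S_5: apply q first, then p; this convention reproduces the paper's products."""
    return tuple(p[q[i]] for i in range(DEG))

# Pre-computed multiplication table of S_5 (the trick the paper relies on for speed):
# MUL[i][j] indexes PERMS[i]*PERMS[j], so a group ring product only re-indexes coefficients.
MUL = [[INDEX[compose(p, q)] for q in PERMS] for p in PERMS]

def cycles(*cycs):
    """Permutation from disjoint cycles on the points 1..5, e.g. cycles((1, 5), (2, 4))."""
    img = list(range(DEG))
    for c in cycs:
        for x, y in zip(c, c[1:] + c[:1]):
            img[x - 1] = y - 1
    return tuple(img)

# A group ring element is a list of 120 coefficients in Z_7 (the 360-bit entry of Section 1).
def gr(*terms):
    """Element sum c*g built from (c, g) pairs, g a permutation tuple."""
    x = [0] * ORDER
    for c, g in terms:
        x[INDEX[g]] = (x[INDEX[g]] + c) % N_MOD
    return x

def gr_add(x, y):
    return [(u + v) % N_MOD for u, v in zip(x, y)]

def gr_mul(x, y):
    """(sum a_j g_j)(sum b_k g_k) = sum_i (sum_{g_j g_k = g_i} a_j b_k) g_i, as in Section 2."""
    out = [0] * ORDER
    for i, a in enumerate(x):
        if a:
            row = MUL[i]
            for j, b in enumerate(y):
                if b:
                    out[row[j]] = (out[row[j]] + a * b) % N_MOD
    return out

def mat_mul(A, B):
    """Usual matrix product, with entries multiplied and added in Z_7[S_5]."""
    n = len(A)
    C = [[[0] * ORDER for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                C[i][j] = gr_add(C[i][j], gr_mul(A[i][k], B[k][j]))
    return C

def mat_identity(n):
    return [[gr((1, IDENT)) if i == j else [0] * ORDER for j in range(n)] for i in range(n)]

def mat_pow(M, e):
    """Square-and-multiply: O(log2 e) matrix multiplications, as Alice and Bob use."""
    result, base = mat_identity(len(M)), M
    while e:
        if e & 1:
            result = mat_mul(result, base)
        e >>= 1
        if e:
            base = mat_mul(base, base)
    return result

def random_matrix(seed, n=2):
    """Random matrix as in Section 5: every coefficient of every entry uniform in Z_7
    (seeded, so the constructed sample public matrix is reproducible)."""
    rng = random.Random(seed)
    return [[[rng.randrange(N_MOD) for _ in range(ORDER)] for _ in range(n)] for _ in range(n)]

def dh_exchange(M, a, b):
    """Alice publishes M^a, Bob publishes M^b; each derives K = (M^b)^a = (M^a)^b."""
    A_pub, B_pub = mat_pow(M, a), mat_pow(M, b)
    return A_pub, B_pub, mat_pow(B_pub, a), mat_pow(A_pub, b)

def paper_example():
    """a = 5(123)+2(15)(24)+(153), b = 3(123)+4(1453), and ab, ba as printed in Section 2."""
    a = gr((5, cycles((1, 2, 3))), (2, cycles((1, 5), (2, 4))), (1, cycles((1, 5, 3))))
    b = gr((3, cycles((1, 2, 3))), (4, cycles((1, 4, 5, 3))))
    ab = gr((1, cycles((1, 3, 2))), (6, cycles((1, 4, 5), (2, 3))), (6, cycles((1, 4, 2, 3, 5))),
            (1, cycles((1, 2, 4), (3, 5))), (3, cycles((1, 2), (3, 5))), (4, cycles((1, 4, 3, 5))))
    ba = gr((1, cycles((1, 3, 2))), (6, cycles((1, 5, 2, 4, 3))), (3, cycles((1, 5), (2, 3))),
            (6, cycles((1, 2), (3, 4, 5))), (1, cycles((1, 3), (2, 5, 4))), (4, cycles((1, 3, 4, 5))))
    return a, b, ab, ba

def paper_matrix_example():
    """M1 = [[a, e], [e, b]], M2 = [[b, e], [0, a]], and M1*M2 = [[ab, 2a], [b, e + ba]]."""
    a, b, ab, ba = paper_example()
    e, zero = gr((1, IDENT)), [0] * ORDER
    return [[a, e], [e, b]], [[b, e], [zero, a]], [[ab, gr_add(a, a)], [b, gr_add(e, ba)]]
```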

To assess security of our proposal, we should address the two Diffie-Hellman assumptions, CDH and DDH. We investigate the (stronger) DDH assumption experimentally in Section 5.

Finally, some of the algebraic properties of $M_3(\mathbb{Z}_7[S_5])$ will be investigated.

5. Experimental results 

The CDH assumption can only be answered theoretically, but the DDH assumption can be investigated experimentally. To construct our matrix semigroups we implemented the necessary group ring procedures in C++. We have the choice of which symmetric group to use and which ring $\mathbb{Z}_n$ to use as well. Next we used a standard uniform distribution implementation to allow for a random selection of an element from our group ring. Finally, we constructed random k x k matrices over our group ring. Experiments were carried out with various matrix semigroups $M_k(\mathbb{Z}_n[S_m])$.

We propose the use of $S_5$ as the group for our experiments since its underlying structure is understood and simple. When constructing $\mathbb{Z}_n[S_5]$, one has the benefits of using the group $S_5$ as a building block. Namely, the group $S_5$ has the advantage of having only one proper non-trivial normal subgroup, $A_5$, which has index 2 in $S_5$. Hence, trying to get some information about a from $M^a$ by applying a non-trivial group homomorphism is limited only to the sign homomorphism to $\mathbb{Z}_2$ of a symmetric group.

We naturally implemented a "square and multiply" routine to speed up computations for exponentiation. With this procedure we can compute high powers of random matrices from our matrix semigroups fairly quickly, see Table 1.

We note that the computations were carried out on an Intel Core2 Duo 2.26GHz machine, 
utilizing only one core, with 4GB of memory and the times were computed as an average 
time after 250 such exponentiations. No optimizations were in effect and only one processor 
was used. Thus computational time may be reduced significantly by using more than one 
core and by implementing any available optimizations for DH using our scheme. 

As a comparison for computational times, we refer to recent results of [1] claiming new speed records for DH implementations. In the paper, an implementation of the DH signature exchange protocol over the elliptic curve P-224 is presented. Without any optimization they can carry out 1800 operations per second for the DH protocol, on a somewhat more powerful computer than ours. Recall that in P-224 you require approximately 340 operations for a single "exponentiation". Hence, they require about 0.2 seconds per DH exponentiation versus our 0.6 seconds in $M_2(\mathbb{Z}_7[S_5])$.

One additional thing we noticed was that the speed of computation is independent of the number of nonzero terms in the entries of our matrices M. One possible intuitive explanation is based on the fact that any symmetric group can be generated by a set of 2 particular elements. Since we selected 9 (or 4) random group ring elements for each matrix, there is a high probability that we have selected a pair of group elements that will generate all of our symmetric group. Once we have multiplied M by itself a few times we get group ring elements of random length mixing throughout the matrix entries.

Table 1. Speed of Computation

Random group ring elements from $\mathbb{Z}_2[S_5]$ have coefficients either 0 or 1 for each of the 120 elements of $S_5$. A simple binomial distribution calculation shows that with probability around 93% a random element of this group ring has a total number of nonzero terms between 50 and 70.

5.1. Experimental results on the Decision Diffie-Hellman assumption. We should note that for those experiments that were carried out using 2 x 2 matrices, it is reasonable to assume that if the results hold in the smaller matrix size, they will also hold for 3 x 3 matrices. In order to test the DDH assumption we need to look at the two distributions: one generated by $(M^a, M^b, M^{ab})$ and the other generated by $(M^a, M^b, M^c)$ for a random c. Ideally, we would like the two distributions to be indistinguishable.

To verify that, we have run the following 3 experiments. In the first experiment, we verify that, as common sense suggests, $M^{ab}$ has the same distribution as $M^c$. In the second experiment, we verify that $M^a$ is distributed "uniformly", i.e., like a randomly selected matrix N. A "randomly selected" matrix here means a matrix whose entries are random elements of the platform group ring. In turn, a random element of the group ring is selected by selecting each coefficient uniformly randomly from the ring of coefficients (in our case, from $\mathbb{Z}_7$).

Combining the results of these two experiments, we see that each component in the triple $(M^a, M^b, M^{ab})$ is uniformly distributed (for random a, b) in the sense described above. Now our final experiment verifies that the whole triple $(M^a, M^b, M^{ab})$ is distributed like a triple of independently selected random matrices $(N_1, N_2, N_3)$, and therefore the distribution is indistinguishable from that of $(M^a, M^b, M^c)$ since the latter, too, is distributed like a triple of independently selected random matrices according to the previous experiments.

A more detailed description of the three experiments is below. 

In the first experiment, we picked a and b randomly from the interval [10^^, 10^^], and c randomly from [10^'*, 10^^], so that c had about the same size as the product ab. To get a clearer picture of how different or similar these final matrices were, we looked at each entry of the matrix. For each choice of a random matrix M and random a, b, and c we computed the matrices $M^{ab}$ and $M^c$. This was repeated 500 times and we created a table that was updated after each run with the distribution of elements of $S_5$ for each entry of the matrix. We were working with $M_2(\mathbb{Z}_7[S_5])$.

After 500 runs we created Q-Q plots of entries of $M^{ab}$ versus entries of $M^c$, where we use the notation $M = (a_{ij})$. Q-Q plots (or quantile plots) are a graphical method of comparing the quantiles of the cumulative distribution function (cdf) F versus the corresponding quantiles of the cdf G. The functions are parameterized by p, where $p \in [0, 1]$. One axis represents $F^{-1}(p)$ and the other axis represents $G^{-1}(p)$. If the two cdf's are identical, then the Q-Q plot will be that of y = x. It will also be a straight line if the distributions are of the same type, but have different mean and standard deviation, see [3] for more details.

As can be seen from Figure 1, it appears that the distributions of each of the matrices $M^{ab}$ and $M^c$ are indeed identical, which experimentally confirms what common sense suggests.

In the second experiment, we verify that $M^a$ is distributed "uniformly", i.e., like a randomly selected matrix N. We also verify thereby that no information is leaked about a by publishing $M^a$, for a given M. The experimental setup was similar to the previous one, only here we chose two random matrices M and N, and a random integer a from [10^^, 10^^]. Again we produced a Q-Q plot for the two distributions, see Figure 2. From the plot, it is clear that $M^a$ is indistinguishable from a random matrix N.

Finally, we ran a third experiment to ensure the independence of matrix entries from one another in the triple $(M^a, M^b, M^{ab})$ by comparing its distribution to that of the triple of independently selected random matrices $(N_1, N_2, N_3)$. This is a valid and important question to ask as the information contained within the first two elements of the triple, which were shown to be random previously, may affect $M^{ab}$ in a predictable way. To this end, we ran 30,000 experiments four times, where for each element of $S_5$ we counted the frequency of coefficients of $\mathbb{Z}_7$ that occurred in the entries of each of the matrices in $(M^a, M^b, M^{ab})$. We used the same M in each experiment, but varied a and b.

More specifically, we formed triples (one for each entry of the triple of matrices) consisting of the concatenation of the coefficients in the respective entry of the matrices for the same element of $S_5$. For example, if the coefficient at the same element of $S_5$ in the upper left corner entry of the first matrix is 0, in the second matrix it is 5, and in the third matrix it is 1, then the concatenated coefficient is 051. Thus, there is a total of $7^3 = 343$ concatenated coefficients.

Figure 1. DDH results for $M^{ab}$ vs. $M^c$

We counted the occurrence of such triples throughout the experiments for random choices of a and b in the same range as in the previous experiments. We hypothesized that these coefficient triples would be uniformly distributed over $\mathbb{Z}_7^3$, each occurring with probability $1/7^3$. Since we performed 30,000 such experiments (four times), we anticipated that each element of this distribution would show up approximately $30{,}000/7^3 \approx 87$ times.

We reproduced a section of these results in Table 2, where we only used a portion of the table for the $a_{11}$ entry of the matrices because of the space constraints. Results for other entries are similar. The columns represent elements of $S_5$ (i.e., in the full table there would be 120 columns), the rows represent concatenated coefficients of the triples (i.e., in the full table there would be $7^3 = 343$ rows), and the values in the table show the frequency of occurrence of the coefficients. All tables have the same "random" structure, and it can be seen that there appears to be no particular skew in the expected uniformity of the distribution of these coefficients, which allows us to conclude that the distribution of triples of all respective coefficients in $(M^a, M^b, M^{ab})$ is, indeed, uniform on $\mathbb{Z}_7^3$. Since each component in the triple is itself uniformly distributed (as evidenced by our first two experiments), it follows that $M^{ab}$ is distributed independently of $(M^a, M^b)$.

Figure 2. DDH results for $M^a$ vs. N

Table 2. Distribution of coefficient triples
5.2. Experimental results on low orbits. Here we address the following "low orbits" question: we want to make sure that powers of the public matrix M in our semigroup do not end up in an orbit of low order. This means that if Alice chooses a random integer a, we cannot have $M^n = M^k$ for $n < k \ll a$ (similarly for b chosen by Bob). If this were the case, then the eavesdropper Eve could first determine n and k, then she could find the values of c and d, where $1 \le c, d \le k$, such that $M^a = M^c$ and $M^b = M^d$. The shared secret key then could be computed as

This is similar to the problem of finding a generator (i.e., an element of maximum order) in the multiplicative group of $\mathbb{Z}_p$, the original platform for the Diffie-Hellman protocol. Since we are dealing with a semigroup (of matrices) where most elements are not invertible and therefore do not have an "order" in the usual sense, we consider those orbits instead.

While it is conceivable that for a random matrix over $\mathbb{Z}_7[S_5]$ the length of such an orbit is going to be huge, we realize that when we are providing Alice and Bob with a matrix M, we have to at least have some solid lower bound for the length of an orbit for powers of M. Here is one possible approach.

The matrix M will be a product of two matrices: $M = M_1 \cdot S$, where $M_1$ is a random invertible matrix over $\mathbb{Z}_7[S_5]$, and S is a "scalar" matrix that has zeros off the diagonal and each element on the diagonal is $s = (3 + g_1)(3 + g_2)(3 + g_3)(3 + g_4)(3 + g_5)(3 + g_6)(5 + h)$. Here $g_i$ are elements of $S_5$ that generate different subgroups of order 5, and h is a product of a 2-cycle and a 3-cycle. The element s is not invertible because it is a zero divisor. To see this, write $(5 + h)$ as $(h - 2)$ and multiply it by $\sum_{i + j = 5} h^i 2^j$ to get $h^6 - 2^6 = 0$, since $h^6 = 2^6 = 1$ in our group ring. Therefore, the matrix S is not invertible either. We have run a computer program trying to detect an orbit generated by powers of S. While our program has not terminated in the allotted time (several weeks), we know that there are no orbits up to s^". Then, for a random invertible matrix $M_1$, we have just computed powers of $M_1$ up to M-l^, and none of these powers was the identity matrix (or even a diagonal matrix). We note that looking for orbits going through powers of a non-invertible matrix M would consume much more resources and was, in fact, infeasible beyond M^^ given our computational resources. This is because once each power of M is computed, it needs to be stored and eventually compared to all other powers of M. For an invertible matrix $M_1$, on the other hand, we do not need to store any powers to find its order.

Now we claim that with overwhelming probability, if we have a random invertible matrix $M_1$ with the property that the powers of $M_1$ up to 10^° are not diagonal matrices, then the powers of $M_1 \cdot S$ up to 10^'' do not have any orbits. To see this, let us assume that the matrices $M_1$ and S commute; if our claim is valid under this assumption then it is also valid without this assumption since adding a relation $M_1 S = S M_1$ is like considering a homomorphic image: equalities will be preserved.

Suppose now that we have $(M_1 S)^n = (M_1 S)^{n+k}$ for some positive integers n, k, with k < 10^°. If $M_1$ and S commute, this yields $M_1^n S^n = M_1^{n+k} S^{n+k}$. Since $M_1$ is invertible, we can cancel $M_1^n$ and get $S^n = M_1^k S^{n+k}$, and then

$$(M_1^k S^k - I) \cdot S^n = O,$$

where I is the identity matrix and O is the zero matrix. While it is possible that the product of two nonzero matrices is the zero matrix, the probability of this happening is negligible, given that the matrix $M_1^k S^k - I$ is not even diagonal (with overwhelming probability) if k < 10^^, as our experiments suggest. The matrix $S^n$, on the other hand, is diagonal; therefore, for the displayed equality above to hold, every non-zero element $u_{ij}$ of the matrix $(M_1^k S^k - I)$ has to be a zero divisor such that $u_{ij} \cdot r = 0$, where r is the element on the diagonal of the matrix $S^n$ (the latter is obviously a scalar matrix). This (somewhat informal) argument shows that k > 10^" with overwhelming probability. We realize that this lower bound may not be very impressive, but more convincing lower bounds may be based on less convincing arguments. We believe that, in fact, k > 10^^ with overwhelming probability, but at the time of this writing we do not have a convincing argument to support that belief.

To conclude this section, we say a few words about sampling invertible matrices. There are several techniques for doing this; here we give a brief exposition of one of them. We start with an already "somewhat random" matrix, for which it is easy to compute the inverse. An example of such a matrix is a lower/upper triangular matrix, with invertible elements on the diagonal:

$$U = \begin{pmatrix} g_1 & u_1 & u_2 \\ 0 & g_2 & u_3 \\ 0 & 0 & g_3 \end{pmatrix}.$$

Here $g_i$ are random elements of the group $S_5$, and $u_i$ are random elements of the group ring $\mathbb{Z}_7[S_5]$. We then take a random product, with 20 factors, of such random invertible upper and lower triangular matrices, to get our invertible matrix $M_1$.

6. "Standard" Attacks 

In this section, we discuss why three "standard" attacks on the "classical" discrete loga- 
rithm problem do not work with our platform semigroup. 

6.1. Baby-step giant-step algorithm. One known method of attacking the "classical" discrete logarithm problem, due to Shanks [8], is the baby-step giant-step algorithm. The algorithm computes discrete logarithms in a group of order q in $O(\sqrt{q}\,\mathrm{polylog}(q))$ time, where polylog(q) is $O((\log q)^c)$ for some constant c. If adapted to our situation, this algorithm would look as follows.

Baby-step giant-step algorithm

Input: $M, A \in M_k(\mathbb{Z}_7[S_5])$, $n = |M_k(\mathbb{Z}_7[S_5])|$
Output: $x \in \mathbb{N}$ such that $M^x = A$

Set $s := \lceil \sqrt{n} \rceil$
Set $t := \lceil n/s \rceil$
for i = 0 to s
    compute and store $(i, A M^i)$
for j = 0 to t
    compute $M_j = M^{js}$
    if $M_j = A M^i$ for some i, return $js - i$



There are a couple of points that have to be made about this algorithm. The first is that we need to produce a good method of storing the matrices. This could be possible with a hash function, in which case insertion and lookup is constant in time. However, our matrices are fairly complex objects, and we need to take into account the storage requirements of the algorithm.

Furthermore, we should note that the order of our chosen random matrix M is much smaller than that of the whole group ring. Hence, it may be possible to use a smaller value of n as an input. However, this requires knowledge of the order of M. As little is known about the structure of this group ring, we are not guaranteed that the order exists in the usual sense. We are basically back to looking for orbit collisions as in our Section 5.2.

Each entry in the matrix can be represented by a sequence of 120 (three-bit) coefficients. We can use a 360 bit string where we encode each three-bit sequence with the value of the coefficient of that polynomial term in $\mathbb{Z}_7[S_5]$. Hence each matrix will need 360 x 4 bits of storage. In this algorithm we are required to store $\sqrt{|M_2(\mathbb{Z}_7[S_5])|} = \sqrt{7^{480}} \approx 10^{203}$ such matrices. In order to store all these matrices we would need $1440 \times 10^{203}$ bits of space. This works out to about $10^{193}$ TB of (memory or hard drive) space. Thus, it looks like this algorithm is infeasible already in terms of space. Of course, storing the arrays can be optimized, e.g. we do not need to store entries with zeroes. However, the amount of information that we need to store, $10^{203}$ matrices, is still too big even if we only store the number of non-zero terms in the polynomials.

One approach often suggested to decrease space requirements is to decrease s, hence increasing t. In this case the algorithm instead of running in $O(\sqrt{n})$ time will run in $O(n/t)$ time. Every time we reduce by half the storage requirements, we end up doubling the running time of the algorithm. However, regardless of what s and t are chosen to be we still need to perform s + t group operations in the two loops. Given our constraints, the number of group operations is minimized when $s = t = \sqrt{n}$. Hence, we need at least $10^{203}$ group operations to run this algorithm, which is again computationally infeasible.

6.2. Other attacks. There are two other algorithms that have been suggested for solving the "classical" discrete logarithm problem. The first is the Pohlig-Hellman algorithm [6]. This algorithm relies on the order of a group element and the generalized Chinese remainder theorem to break the problem into smaller subproblems.

Specifically, suppose the order of the element $g \in G$ is q. In the Diffie-Hellman scheme we wish to find an x such that $g^x = y$. Suppose we know a factorization

$$q = \prod_{i=1}^{n} q_i,$$

where the $q_i$ are relatively prime. Then we have, by the Chinese remainder theorem,

$$\mathbb{Z}_q \cong \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_n},$$

and we are left to solve n instances of the discrete logarithm problem in the smaller groups, i.e., defining $g_i = g^{q/q_i}$, we must find the solutions $\{x_i\}_{i=1}^{n}$ for which $g_i^{x_i} = y^{q/q_i} = g_i^{x}$.

However, in our situation the order of matrices in $M_3(\mathbb{Z}_7[S_5])$ does not relate to the size of the whole ring $M_3(\mathbb{Z}_7[S_5])$. Again, under multiplication this ring is a semigroup, not a group, and the proportion of invertible elements in this semigroup is very small. Additionally, the size of this ring is $7^{1080}$, so the Chinese remainder theorem does not really help in breaking this problem into smaller parts. If, however, there was a way to break the problem into smaller subproblems, we would still need to solve the discrete logarithm problem in our setting, which so far as we know can only be done via brute force.

The second algorithm proposed for solving the "classical" discrete logarithm problem is Pollard's rho algorithm [7]. The inputs are group elements M and N, and the output is an integer n such that $M^n = N$. The algorithm first looks for an orbit, which has the general form $M^a N^b = M^c N^d$, for $a, b, c, d \in \mathbb{N}$. This is done by using Floyd's cycle-finding algorithm. As long as $b \neq d$, one can take the logarithm with base M to determine n:

$$a + b \log_M N = c + d \log_M N \;\Rightarrow\; \frac{a - c}{d - b} = \log_M N \;\Rightarrow\; M^{\frac{a - c}{d - b}} = N.$$

However, in applying Floyd's cycle-finding algorithm in Pollard's rho attack, the knowledge 
of the order of the cyclic group generated by M is essential. In our situation, not only is the 
order of M unknown, but more importantly, since a random M is not going to be invertible 
with overwhelming probability, order considerations are not applicable, and therefore neither 
is Pollard's rho attack, at least in its standard form. 

6.3. Quantum Algorithm Attacks. It is well known that many cryptographic protocols are vulnerable to quantum algorithm attacks [9]. In particular, the Diffie-Hellman protocol can be attacked using Shor's algorithm. This algorithm basically recasts the discrete logarithm problem as a hidden subgroup problem (HSP) and uses the quantum algorithms developed for HSP to recover the exponent.

We believe that our protocol is secure against such attacks. The HSP relies on the existence of a function $f : G \to S$, for some set $S$, such that $f$ is constant on cosets of the unknown subgroup $H < G$ and also takes on distinct values for each coset. For the discrete log we define $f : \mathbb{Z}_N \times \mathbb{Z}_N \to G$, such that $f(a,b) = g^a x^b$, where $a, b \in \mathbb{Z}_N$, $g, x \in G$, $g^{\alpha} = x$ and $|g| = N$. We can rewrite this as $f(a,b) = g^{a + b \log_g x}$, and hence $f$ is constant on the sets $L_c = \{(a,b) \mid a + b \log_g x = c\}$.

In this setup the hidden subgroup we are seeking is

$$H = L_0 = \{(0,0), (\log_g x, -1), (2 \log_g x, -2), \cdots, (N \log_g x, -N)\}.$$

To be able to apply this algorithm one would need to know the order of a matrix. However, this is not known a priori and it is also the case that invertible matrices are sparse in our setup. Hence in our setup the function $f$ is ill-defined.

Furthermore, given a random non-invertible matrix it is unlikely that the function $f$ will be distinct on cosets of the subgroup $H$ or even constant on the different cosets. To see this, assume $M$ is a non-invertible matrix; then powers of $M$ will either end up in an orbit or will eventually become the zero matrix. If we are in an orbit, assume for example that $M^{18} = M^{36}$ and the exponent we are seeking is $\alpha = 12$. The subgroup we are trying to identify is $H = \{(0,0), (12,-1), (24,-2), (36,-3), \cdots\}$. From the setup we note that $(36,-3) \sim (18,-3)$, but $(18,-3) \notin H$, for if it were then $(36,-3) - (18,-3) = (18,0) \in H$, which is a contradiction. On the other hand, assume some power of $M$ is the zero matrix, say $M^{24} = 0$, and again $\alpha = 12$. In this case $f$ is no longer constant on the subgroup $H$, as $0 = f(24,-2) \neq f(12,-1) = I$.
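The orbit remark in the Pollard's rho discussion and the argument just given both rest on what the powers of a non-invertible matrix over the group ring do. As an added example (not code from the paper), here is a miniature of the platform: 2x2 matrices over $\mathbb{Z}_2[S_3]$ in place of 3x3 over $\mathbb{Z}_7[S_5]$, with the group ring multiplied by composing permutations, small enough to walk the power sequence exhaustively. The two constructed sample matrices show the two outcomes: one whose powers enter a cycle ($M^2 = M^5$) and one whose powers reach the zero matrix.

```python
P, N = 2, 3   # coefficient modulus and degree of S_N (constructed; the paper uses 7 and 5)

def compose(s, t):
    """Composition (s o t)(i) = s[t[i]] of two permutations of range(N)."""
    return tuple(s[t[i]] for i in range(N))

def ring_add(u, v):
    """Sum in Z_P[S_N]; elements are {perm: coeff} dicts, zero coefficients dropped."""
    out = dict(u)
    for g, c in v.items():
        out[g] = (out.get(g, 0) + c) % P
    return {g: c for g, c in out.items() if c}

def ring_mul(u, v):
    """Product in Z_P[S_N]: convolution over the group, coefficients reduced mod P."""
    out = {}
    for s, a in u.items():
        for t, b in v.items():
            st = compose(s, t)
            out[st] = (out.get(st, 0) + a * b) % P
    return {g: c for g, c in out.items() if c}

def mat_mul(A, B):
    """Product of square matrices whose entries are group ring elements."""
    n = len(A)
    C = [[{} for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                C[i][j] = ring_add(C[i][j], ring_mul(A[i][k], B[k][j]))
    return C

def power_sequence(M, limit=1000):
    """Walk M, M^2, ...; return ('zero', k) if M^k = 0, or ('cycle', i, j) if M^i = M^j, i < j."""
    seen, cur = {}, M
    for e in range(1, limit + 1):
        if all(not entry for row in cur for entry in row):
            return ('zero', e)
        # hashable canonical form of the current power, used to detect a repeat
        k = tuple(tuple(tuple(sorted(e_.items())) for e_ in row) for row in cur)
        if k in seen:
            return ('cycle', seen[k], e)
        seen[k] = e
        cur = mat_mul(cur, M)
    return ('open', limit)

# Constructed samples: E = identity, C = a 3-cycle, S = a transposition;
# U = E + S satisfies U*U = 2E + 2S = 0 in Z_2[S_3], so U is nilpotent.
E, C, S = {(0, 1, 2): 1}, {(1, 2, 0): 1}, {(1, 0, 2): 1}
U = ring_add(E, S)
M_ORBIT = [[C, E], [{}, U]]   # powers enter a cycle: M^2 == M^5
M_NIL = [[U, E], [{}, U]]     # powers vanish: M^2 == 0
```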

7. Conclusions

Our contribution here is proposing the semigroup of matrices (of a small size, 2 x 2 or 3 x 3) over the group ring $\mathbb{Z}_7[S_5]$, with the usual matrix multiplication operation, as the platform for the Diffie-Hellman key exchange scheme. What we believe is the main advantage of our platform over the standard $\mathbb{Z}_p^*$ platform in the original Diffie-Hellman scheme is that the multiplication of matrices over $\mathbb{Z}_7[S_5]$ is very efficient. In particular, in our setup multiplying elements is faster than multiplying numbers in $\mathbb{Z}_p$ for a large $p$. This is due to the fact that one can pre-compute the multiplication table for the group $S_5$ (of order 120), so in order to multiply two elements of $\mathbb{Z}_7[S_5]$ there is no "actual" multiplication involved, but just re-arrangement of a bit string of length 3 x 120. Also, no reduction modulo a large $p$ is involved.

To verify the security of using such a semigroup of matrices as the platform, we have experimentally addressed the Decision Diffie-Hellman assumption (Section 5) and showed, by using Q-Q plots (or quantile plots), that after 500 runs of the experiment, two distributions, one generated by $M^{ab}$ and the other generated by $M^{c}$ for a random $c$, are indistinguishable, thereby experimentally confirming the DDH assumption for our platform. Furthermore, no information is leaked from by comparing it to a random matrix $N$.

From the security point of view, the advantages of our platform over $\mathbb{Z}_p$ also include the fact that neither "standard" attacks (baby-step giant-step, Pohlig-Hellman, Pollard's rho) nor quantum algorithm attacks work with our platform, as we showed in Section 6.
8. Appendix: a challenge

Here we present a challenge relevant to our Diffie-Hellman-like scheme: given explicit 3x3 matrices $M$, $M^a$, and $M^b$ over the group ring $\mathbb{Z}_2[S_5]$, recover the matrix $M^{ab}$. Note that our recommended platform ring is actually $\mathbb{Z}_7[S_5]$, but we believe that breaking our challenge is currently infeasible even for $\mathbb{Z}_2[S_5]$.